1

My company uses a webapp that's reachable on http://10.10.10.20/WebAPP running on IIS on Windows Server 2019.

Now, said WebAPP needs to be accessible via the internet, and thus SSL is needed - no problem I thought, I'll use NGINX as reverse proxy, as we do for many other sites, and call it a day.

But I then found out that WebAPP does not like very much when the requested URI is anything other than it's IP or Windows NetBIOS name.

So when trying to go to https://app.company.se/WebAPP I get a 500 Internal HTTP error, and looking through the logs for WebAPP sees that the request is coming from app.company.se/WebAPP which it does not like.

My NGINX configuration is as follows:

server {

  server_name webapp.company.com;

  location / {
        proxy_pass http://10.10.10.20;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
  }

}

I have also tried adding: proxy_set_header X-Forwarded-Host "http://10.10.10.20/" to trick the webapp, but no dice.

So I think I just have to configure NGINX to simply not inform the WebAPP that there's someone else behind the NGINX Reverse Proxy asking for data, and as far as the WebAPP goes - the reverse proxy is the only one accessing the WebAPP.

Is this possible?

Emil G
  • 11
  • 1
  • 2

1 Answers1

0

The directive proxy_set_header Host $http_host; explicitly instructs nginx to use the use webapp.company.com as the HTTP Host: header when it is making requests to 10.10.10.20.

Simply omit that directive, or explicitly set it to the default value of proxy_set_header Host $proxy_host; and nginx will use Host: 10.10.10.20

Bob
  • 5,805
  • 7
  • 25
  • When I do that, I run into an infinite username / password loop from the WebAPP that normally only happens once. And the webtrace stills shows the proxy URL: Internal Web API - Unauthorized request: Referrer = webapp.company.com/WebAPP; Requested URI root = 10.10.10.20/WebAPP Strange. Any ideas what might cause that? – Emil G Apr 15 '21 at 06:59
  • @EmilG Looks like you also need to alter the `Referer` HTTP header. Check [this](https://serverfault.com/questions/757732/nginx-change-referer-for-proxy) one. – Ivan Shatsky Apr 17 '21 at 00:19
  • @IvanShatsky That did not seem to do anything else. I'm also not 100% what you mean, should I set refer to the reverse proxies IP-address? It also sends me into a credential loop where as normally it asks once. – Emil G Apr 19 '21 at 09:18
  • @EmilG Exactly, try `proxy_set_header Referer 10.x.x.x;` where 10.x.x.x is a proxy internal IP address (from 10.0.0.0/8 subnet). There can be a more complex case where you would need to substitute `10.x.x.x` instead of `webapp.company.com` leaving all the other string parts unchanged, but first give more simple `10.x.x.x` a try. – Ivan Shatsky Apr 19 '21 at 09:30